A little experience with MySQL security issues

Source: Internet
Author: User

Two days ago, while helping a friend tidy up his home page hosting space, I noticed something about MySQL that is easy to overlook. As we know, installing MySQL automatically creates a root user and an anonymous user, both with an empty initial password. Many references remind you to set a password for root promptly but ignore the anonymous user, presumably because the latter is set up only for use from the local machine.

But if your MySQL server provides database services to a web server, the cost of ignoring the anonymous user can be very heavy, because by default the anonymous user on localhost has almost the same privileges as root. If your customers can upload script files, and those scripts can perform MySQL database operations (PHP with MySQL support, for example), your MySQL server may be changed beyond recognition:

Today, while cleaning up my friend's home page space, I uploaded a very simple PHP file that executes SQL statements, with user and password in the connection string left empty and host=localhost. My SQL statements executed. So I ran select * from mysql.user to look at the user privileges and found that the anonymous user at localhost has very high privileges, even Grant_priv. (If you look, below root you will find two rows where the user name and password are empty but the privilege columns are set to Y or N. These are the anonymous user: one row for local privileges and one for remote.)

So I tried using this PHP page to create a new user and grant it high privileges, and it succeeded. I could then connect to this site's MySQL server from the MySQL client on my own machine as the new user and administer the server with that user's administrative privileges. Having seen how easily I could obtain complete control over the database, how could I dare put the sensitive material from my friend's home page space on this MySQL server?

Recommendations for improvement:

1. After installing MySQL, change not only the root password but also the anonymous user's password. The method is similar to changing the root password:

mysql> UPDATE mysql.user SET Password=PASSWORD('yournewpassword') WHERE User='';

mysql> FLUSH PRIVILEGES;

2. If it is not needed, delete the anonymous user, so that everyone who uses MySQL must provide a user name. Even if a problem occurs later, it is then easy to find its source.

3. Apart from root, no user, including the anonymous user (if you have not deleted it), should have the GRANT privilege. This prevents administrative rights from spreading out of control.

4. When you give users the UPDATE, DELETE, ALTER, CREATE and DROP privileges, limit them to a specific database. In particular, do not let ordinary customers have privileges to operate on the mysql database, or your system settings are likely to be replaced.

5. Check the mysql.user table and remove the Shutdown_priv, Reload_priv, Process_priv and File_priv privileges from users who do not need them. These privileges may leak more server information, including information outside MySQL.

6. If you do not intend to let your users use the MySQL database, then when you provide a scripting language such as PHP, reconfigure or recompile PHP to remove its default MySQL support.
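
The audit queries and fixes below apply recommendations 1 to 5 to a server; this is an added example, not code from the original article. It assumes a MySQL version whose mysql.user table has the Password column used above (newer releases store the hash in authentication_string), and appuser and appdb are hypothetical names.

```sql
-- Added example. Assumes mysql.user has a Password column;
-- 'appuser' and 'appdb' are hypothetical names.

-- Audit 1 (recommendations 1 and 2): anonymous accounts and
-- accounts with an empty password.
SELECT User, Host,
       (User = '')     AS is_anonymous,
       (Password = '') AS empty_password
FROM mysql.user
WHERE User = '' OR Password = '';

-- Audit 2 (recommendations 3 and 5): non-root accounts holding GRANT
-- or server-level privileges.
SELECT User, Host, Grant_priv, Shutdown_priv, Reload_priv,
       Process_priv, File_priv
FROM mysql.user
WHERE User <> 'root'
  AND 'Y' IN (Grant_priv, Shutdown_priv, Reload_priv,
              Process_priv, File_priv);

-- Audit 3 (recommendation 4): non-root accounts whose write and schema
-- privileges are global instead of limited to one database.
SELECT User, Host, Update_priv, Delete_priv, Alter_priv,
       Create_priv, Drop_priv
FROM mysql.user
WHERE User <> 'root'
  AND 'Y' IN (Update_priv, Delete_priv, Alter_priv,
              Create_priv, Drop_priv);

-- Fix for recommendation 2: drop the anonymous account.
-- Repeat for every Host value that Audit 1 listed with an empty User.
DROP USER ''@'localhost';

-- Fix for recommendations 3 to 5: strip all global privileges and the
-- GRANT option from an application account, then grant only what it
-- needs on its own database.
REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'appuser'@'localhost';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'appuser'@'localhost';

-- Confirm the result: expect USAGE on *.* plus the appdb.* grant.
SHOW GRANTS FOR 'appuser'@'localhost';
```

Run the three audits again after the fixes; each should return no rows for accounts other than the ones you deliberately kept.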


